
Recent updates to Prometei botnet reveal enhanced modules and expanded capabilities


The Prometei botnet has been an ongoing threat since Cisco Talos first reported on it in 2020. As of November 2022, the botnet has improved its infrastructure components and capabilities, including certain submodules of the execution chain that automate processes and complicate forensic analysis. Based on data obtained by sinkholing the DGA domains over a one-week period in February 2023, the Prometei v3 botnet is estimated to be of medium size, with more than 10,000 infected systems worldwide. The actors have been actively spreading improved Linux versions of the bot and continue to refine the current version.

Recent observations have revealed previously undocumented functionality, such as an alternative C2 domain generation algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache web server with a web shell deployed onto victim hosts, improving the overall technical capabilities of the botnet. Additionally, the bot's targeting may have been influenced by the war in Ukraine: the only country excluded in the Tor configuration is Russia, whereas earlier variants also avoided exit nodes in other CIS countries.

Prometei primarily deploys the Monero cryptocurrency miner and has worm-like capabilities, posing a persistent threat to organizations. Talos has observed the botnet's financial motivation through cryptocurrency mining and credential theft activity, with infections likely opportunistic, targeting vulnerable entities in all regions and industry verticals.

Based on data acquired through sinkholing the DGA domains, the geographical distribution of infected systems is roughly proportional to the population of the countries, with traffic captured from 155 countries. The most populous countries have the largest number of infected systems, with the exceptions of Brazil, Indonesia, and Turkey, which display a higher proportion of infections relative to their populations. Russia stands out as having a disproportionately smaller number of infections, accounting for 0.31 percent of all infected systems; together with the bot's Tor configuration, this supports the assessment that its targeting is influenced by the Russia-Ukraine conflict.

The Prometei threat remains ongoing and is expected to evolve for the foreseeable future. The botnet's common C2 infrastructure continues to show a steady stream of activity, with the operators consistently rotating its malware and cryptomining hosts. The regular updating and expansion of Prometei's modules demonstrate the operators' commitment and technical knowledge, which will enable them to continue proliferating the botnet to new victims and adapting to new defenses and protections. The addition of backdoor capabilities and a bundled web shell could indicate the operators' efforts to add persistence measures to keep Prometei active on targeted machines, or a gradual shift or expansion to other types of payloads and activity.

